AuditFront

ISO 27001 A.8.22: Segregation of networks

What This Control Requires

Groups of information services, users and information systems shall be segregated in the organization's networks.

In Plain Language

A flat network is an attacker's dream. One compromised workstation and they can reach every server, database, and service you run. Network segregation breaks that path by dividing your network into zones based on trust levels and security requirements.

Systems with similar security needs get grouped together, with controlled access points between groups. Production servers stay separate from dev environments. User workstations are isolated from server infrastructure. Guest WiFi never touches the corporate network.

Modern approaches go further with micro-segmentation (fine-grained policies controlling traffic between individual workloads) and zero-trust networking (every access request is authenticated and authorised regardless of where it comes from on the network).

How to Implement

Design your segmentation architecture based on risk assessment and business needs. Typical trust zones include: external-facing DMZ, internal user network, server network, database network, management network, development and test network, guest and visitor network, IoT/OT network, and cloud virtual networks.

Use a combination of technologies to implement segmentation. VLANs create logical segments within shared physical infrastructure, but a VLAN on its own only separates broadcast domains: once segments are routed together, traffic flows freely between them unless something filters it. Firewalls between segments control inter-segment traffic. Access control lists (ACLs) on routers and switches add another filtering layer. For virtualised and cloud environments, use micro-segmentation (security groups, host-based firewalls) for granular control.

Define traffic flow policies between segments. Apply default-deny and only allow specifically authorised traffic. Document every allowed flow - source, destination, protocol, port, and business justification. Review firewall rules regularly and prune anything unnecessary.

For critical workloads, implement micro-segmentation using host-based firewalls or software-defined networking. This controls traffic at the individual workload level and is especially effective in cloud and virtualised environments, where tools such as VMware NSX and cloud-native security groups provide it natively.

Consider zero-trust principles. Treat every segment, including the internal network, as untrusted. Authenticate and authorise every access request regardless of source. Use identity-based controls rather than relying on network location. Implement continuous verification instead of one-time authentication.

Monitor inter-segment traffic for policy violations and anomalies. Verify that actual traffic flows match your defined policies. Alert on unauthorised cross-segment traffic. Review your network architecture periodically to make sure segmentation keeps pace with how your environment evolves.
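The flow policy and monitoring steps above can be checked mechanically. The following Python script is an added example, not code from the AuditFront page: it holds a documented allow list (source zone, destination zone, protocol, port, justification), maps addresses to trust zones using a hypothetical address plan, and audits a constructed firewall flow log against that list. It reports cross-zone flows the firewall accepted without a documented rule (the "too permissive" mistake) and documented rules that no observed flow ever used (candidates for pruning). Zone names, CIDRs, ports and the log format are all assumptions made for the example.

```python
"""Audit observed inter-segment flows against a documented default-deny policy."""
import ipaddress
from dataclasses import dataclass

# Hypothetical address plan for the trust zones (constructed for this example).
ZONES = {
    "dmz": "10.1.0.0/24",
    "users": "10.10.0.0/16",
    "servers": "10.20.0.0/24",
    "database": "10.30.0.0/24",
    "management": "10.99.0.0/24",
    "guest": "192.168.100.0/24",
}
ZONE_NETS = {name: ipaddress.ip_network(cidr) for name, cidr in ZONES.items()}


@dataclass(frozen=True)
class Rule:
    """One documented inter-segment flow: source, destination, protocol, port, why."""
    src_zone: str
    dst_zone: str
    proto: str
    port: int
    justification: str


# The documented allow list. Anything not listed here is denied (default-deny).
ALLOWED_FLOWS = [
    Rule("dmz", "servers", "tcp", 8443, "Reverse proxy to application tier"),
    Rule("servers", "database", "tcp", 5432, "Application tier to PostgreSQL"),
    Rule("users", "dmz", "tcp", 443, "Staff browsing the intranet portal"),
    Rule("management", "servers", "tcp", 22, "Admin SSH from the jump host"),
    Rule("management", "database", "tcp", 22, "Admin SSH from the jump host"),
]

# Constructed flow log: timestamp, src, dst, proto, dst port, firewall action.
SAMPLE_FLOW_LOG = """\
2024-05-01T09:00:01Z 10.1.0.10 10.20.0.5 tcp 8443 ACCEPT
2024-05-01T09:00:02Z 10.20.0.5 10.30.0.5 tcp 5432 ACCEPT
2024-05-01T09:00:03Z 10.10.4.17 10.1.0.10 tcp 443 ACCEPT
2024-05-01T09:00:04Z 10.10.4.17 10.30.0.5 tcp 5432 ACCEPT
2024-05-01T09:00:05Z 192.168.100.23 10.20.0.5 tcp 445 ACCEPT
2024-05-01T09:00:06Z 10.10.7.2 10.20.0.5 tcp 3389 DROP
2024-05-01T09:00:07Z 10.99.0.2 10.20.0.5 tcp 22 ACCEPT
""".splitlines()


def zone_of(ip: str) -> str:
    """Map an address to its trust zone; anything outside the plan is 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONE_NETS.items():
        if addr in net:
            return name
    return "unknown"


def matching_rule(src_zone: str, dst_zone: str, proto: str, port: int):
    """Return the documented rule covering this flow, or None under default-deny."""
    for rule in ALLOWED_FLOWS:
        if (rule.src_zone, rule.dst_zone, rule.proto, rule.port) == (src_zone, dst_zone, proto, port):
            return rule
    return None


def audit_flows(log_lines):
    """Compare observed flows with the allow list.

    Returns (violations, unused_rules): cross-zone flows the firewall ACCEPTed
    without a documented rule, and documented rules no observed flow used.
    Flows the firewall dropped are policy working as intended, not findings.
    """
    violations = []
    used = set()
    for line in log_lines:
        ts, src, dst, proto, port, action = line.split()
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if src_zone == dst_zone:
            continue  # intra-zone traffic: a host-level (micro-segmentation) policy's job
        rule = matching_rule(src_zone, dst_zone, proto, int(port))
        if rule is not None:
            used.add(rule)
            continue
        if action == "ACCEPT":
            violations.append((ts, src_zone, src, dst_zone, dst, f"{proto}/{port}"))
    unused_rules = [r for r in ALLOWED_FLOWS if r not in used]
    return violations, unused_rules


if __name__ == "__main__":
    found, stale = audit_flows(SAMPLE_FLOW_LOG)
    for v in found:
        print("VIOLATION: accepted undocumented flow", v)
    for r in stale:
        print("UNUSED RULE (review for pruning):", r)
```

On the constructed log the script flags two accepted flows with no documented rule (a user workstation reaching the database tier on 5432, and a guest device reaching a server on 445) and one documented rule that was never exercised (management to database on 22). Feeding it real firewall or VPC flow logs, and keeping ALLOWED_FLOWS as the single source of truth that the firewall rules are generated from, turns the "verify that actual traffic flows match your defined policies" step into something that can run on a schedule.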

Evidence Your Auditor Will Request

  • Network segmentation architecture documentation and diagrams
  • Firewall rules controlling inter-segment traffic
  • VLAN configuration and segment definitions
  • Traffic flow policies documenting authorized inter-segment communications
  • Network architecture review records

Common Mistakes

  • Network is flat with all systems on the same segment or VLAN
  • Segmentation exists but firewall rules between segments are too permissive
  • Development and test environments share the same network as production
  • Guest and IoT devices share the corporate network without isolation
  • Cloud virtual networks are not segmented with the same rigor as on-premises

Related Controls Across Frameworks

Framework | Control ID | Relationship
SOC 2 | CC6.6 | Related
GDPR | Art. 32 | Partial overlap
NIS2 | Art. 21(2)(d) | Related

Frequently Asked Questions

What is micro-segmentation?
Instead of controlling traffic only at the network perimeter, micro-segmentation applies security policies at the individual workload level. It uses software-defined policies to govern traffic between individual VMs, containers, or applications. Even within the same network segment, lateral movement is blocked for any flow the policy does not explicitly allow. It is particularly valuable in cloud and virtualised environments, where traditional network boundaries are blurry.
How does zero-trust relate to network segregation?
Think of zero-trust as the next evolution of segmentation. Traditional segmentation controls traffic at the network level. Zero-trust adds identity-based access controls, continuous verification, and a "never trust, always verify" mindset on top of that. Being on the internal network no longer grants you any implicit trust - every user and device must authenticate and be authorised for each access request. It reduces your dependence on perimeter security, which is exactly where most organisations get caught out.
